Nine-point analysis of database security vulnerabilities

Source: Internet
Author: User
Tags: cve

Database vulnerabilities can be classified in many ways: because every real-world scenario is a combination of several dimensions, the corresponding vulnerabilities can also be categorised from different angles. Such a classification helps us master the protection techniques for each kind of vulnerability. An Huaqin and its database security lab classify database vulnerabilities mainly from the following nine perspectives:

1. Classification by vulnerability scope

Remote vulnerability: an attacker can trigger the vulnerability and attack the database directly over the network. Such vulnerabilities are extremely harmful, because an attacker can use them to compromise any database reachable on the network. They are the main class of vulnerability that hackers exploit.

Local vulnerability: an attacker must already have access to the host before the vulnerability can be exploited. The typical case is a local privilege escalation vulnerability, which is widespread in databases and lets an ordinary user obtain the highest administrator privileges.

2. Classification by vulnerability hazard

Vulnerability severity is divided into three grades according to the CVE score: 0-3 (low), 4-6 (medium) and 7-10 (high). The hazard grade of a vulnerability is determined by the effect it can have on a database: the greater the impact on the confidentiality, security and availability of the database, the higher the hazard grade, and the smaller the impact, the lower the grade. To illustrate:

CVE-2006-1705 has a low hazard rating. It has no effect on database system files; it may cause some configuration files in the database to be modified, without affecting database operation.

CVE-2006-1871 has a medium hazard rating. It may cause some information disclosure and may cause some configuration files in the database to be modified, which could degrade database performance or, with a small probability, break connections.

CVE-2006-3702 has a high hazard rating. It can cause all database system files to be compromised, the database to be completely destroyed, and the database to be shut down entirely.

3. Classification by affected system

Operating systems are diverse, and each one exists in many versions. We divide operating systems into five categories: DOS, Windows, UNIX, Linux and other operating systems. Because the address of a vulnerability's injection point depends directly on the specific operating-system version, vulnerabilities also need to be broken down by OS version. Take Oracle as an example: because different operating systems have different defences against buffer overflows, such vulnerabilities have essentially no cross-platform portability.

4. Classification by scope of harm

Vulnerability harm refers to the various damage an exploit can cause. Harm in this article means direct harm to the database, or harm done to other systems by using the database. These hazards fall into three categories:

Harming the database itself: the vulnerability is used to attack the database directly. This type is explained in detail in section 5, the classification by hacker intrusion technique.

Harming the server that hosts the database: the server is attacked through the database. The means include running OS commands through PL/SQL, running OS commands through Java, running OS commands directly from the task scheduler, running OS commands with ALTER SYSTEM, and, in some Oracle versions, running OS commands by way of locally (natively) compiled PL/SQL applications.

Harming the file system of the host on which the database resides: the server's file system is attacked through the database. The means include accessing the file system through the UTL_FILE package, accessing it through Java, and accessing it through operating-system environment variables.

Harming other platforms on the network where the database sits: other databases and services on the network are attacked through the database.

5. Classification by hacker intrusion technique

5.1 SQL injection

The SQL injection discussed in this article is not web-side SQL injection but SQL injection against the database itself; the difference between the two is very large. The idea of PL/SQL injection is very simple:

malformed strings or other malformed input aimed at database vulnerabilities or database configuration flaws are added to normal SQL statements by embedding, comments, escape characters and so on. One or more of these malformed inputs is used to gain higher privileges in the database, eventually obtaining sensitive information or directly seizing DBA authority. This may further compromise the local server and the network environment in which the database resides.

The means are specifically divided into:

Code injection

Code injection exists in databases that support executing several SQL statements at once. The hacker appends a malicious command to a normal statement, and the extra command is executed along with it.

Function call injection

Function call injection is a variant of code injection, but it is the core of the whole subject of SQL injection. It uses a database vulnerability to inject malicious statements. The specific methods are:

Injecting SELECT/DELETE/INSERT/UPDATE statements

Injecting functions

Injecting anonymous PL/SQL blocks

Cursor injection

Using triggers

Lateral privilege-escalation techniques

Each of these techniques has its own sub-categories. For lateral escalation the most notable are escalating to DBA through the CREATE ANY TRIGGER privilege, through the CREATE ANY VIEW privilege, through the EXECUTE ANY PROCEDURE privilege, and through the CREATE PROCEDURE privilege.

Buffer overflow injection. This buffer overflow is not the same as the buffer overflow discussed in the next section: here it means passing a parameter of a database system function a value that exceeds the parameter's length limit.

The most common operational SQL injection modifies the WHERE clause of a SQL statement so that it returns a different result set, in order to obtain sensitive information from the database.

5.2 Buffer overflow

Buffer overflow: the buffer overflow referred to here occurs when data from a source buffer is copied into a destination buffer smaller than itself, so that the copy crosses the boundary of the destination buffer. Because the database does not check the bounds of the data being written, the destination buffer is overrun, and the memory beyond it is overwritten. This can alter control flow, take over the operating system, block access, and produce many other results. Buffer overflows divide into four main types: static data area overflow, stack overflow, heap overflow and format string.

The means are specifically divided into:

Stack overflow

One of the main kinds of buffer overflow is the stack overflow, which hijacks the function's return value. There are two main ways: one changes the function's logic flow through the overflow, the other changes the function's return address through the overflow. The second is the more common.

Heap overflow

A heap overflow exploits a principle similar to the stack overflow, but because heap addresses are allocated dynamically and cannot be located precisely in advance, the hacker uses the DWORD shoot technique to scan the heap and obtain an address that the overflow can use.

Static data area overflow

The static data area holds global variables and uninitialised static variables contiguously; a buffer overflow in this region is called a static data area overflow.

Format strings

The most notable example of a format string vulnerability is the output of data in a given format by the *printf() family of functions. Hackers mainly exploit three special properties of the *printf() functions: first, the number of parameters these functions take is not fixed; second, the special format character %n lets the hacker write to memory; third, additional format characters can be used to control the value of the jump address.

5.3 Other

Weak password: a password that is easy for others to guess or for a cracking tool to break. A large share of these are database default passwords, which exist because of the way default passwords are generated.

Credential stuffing: access to the target database is attempted with usernames and passwords collected from registrations on other services. Because many people habitually reuse the same account name and password, the chance of successfully logging into the target database rises greatly, and large amounts of sensitive information can be stolen.

Brute force: a data dictionary (password vault) is tried against the database's usernames until a username and password combination that can access the database is found.
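The three credential attacks above leave different traces in a database's login audit trail, and telling them apart is what a detection rule has to do. The following is an added example written for this edit, not code from the original article or from An Huaqin: the audit lines, the field layout (src, user, result), the thresholds and the function names are all constructed assumptions, so map them onto your own listener or unified-audit output before use.

```python
"""Added example (not from the original article): separating brute force
(many failures against one account from one source) from credential stuffing
(one or two tries per account across many accounts from one source) in a
constructed login audit trail, and flagging the accounts a stuffing run
actually opened. Thresholds are assumptions for the illustration."""
from collections import defaultdict

# Constructed audit lines: timestamp, source address, user name, result.
AUDIT_LINES = """\
2024-03-01T09:00:01Z src=10.0.0.5 user=scott result=FAIL
2024-03-01T09:00:02Z src=10.0.0.5 user=scott result=FAIL
2024-03-01T09:00:03Z src=10.0.0.5 user=scott result=FAIL
2024-03-01T09:00:04Z src=10.0.0.5 user=scott result=FAIL
2024-03-01T09:00:05Z src=10.0.0.5 user=scott result=FAIL
2024-03-01T09:00:06Z src=10.0.0.5 user=scott result=FAIL
2024-03-01T09:01:00Z src=10.0.0.9 user=alice result=FAIL
2024-03-01T09:01:01Z src=10.0.0.9 user=bob result=FAIL
2024-03-01T09:01:02Z src=10.0.0.9 user=carol result=FAIL
2024-03-01T09:01:03Z src=10.0.0.9 user=dave result=FAIL
2024-03-01T09:01:04Z src=10.0.0.9 user=erin result=SUCCESS
2024-03-01T09:05:00Z src=10.0.0.20 user=alice result=FAIL
2024-03-01T09:05:30Z src=10.0.0.20 user=alice result=SUCCESS
"""

BRUTE_FORCE_MIN_FAILS = 5   # assumption: this many failures on one account is a dictionary run
STUFFING_MIN_USERS = 4      # assumption: this many distinct accounts from one source is a reused list


def parse_line(line: str) -> tuple:
    """Split one audit line into (source, user, result); the timestamp is dropped."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["src"], fields["user"], fields["result"]


def summarise(text: str) -> tuple:
    """Return (fails, successes): fails maps src -> user -> failure count,
    successes maps src -> set of users that logged in."""
    fails = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        src, user, result = parse_line(line)
        if result == "FAIL":
            fails[src][user] += 1
        else:
            successes[src].add(user)
    return fails, successes


def classify_sources(text: str) -> dict:
    """Label each source address as brute_force, credential_stuffing or normal."""
    fails, successes = summarise(text)
    verdicts = {}
    for src in set(fails) | set(successes):
        per_user = fails.get(src, {})
        if any(n >= BRUTE_FORCE_MIN_FAILS for n in per_user.values()):
            verdicts[src] = "brute_force"          # one account hammered with a dictionary
        elif len(per_user) >= STUFFING_MIN_USERS:
            verdicts[src] = "credential_stuffing"  # many accounts, few tries each
        else:
            verdicts[src] = "normal"               # an ordinary typo-then-login pattern
    return verdicts


def likely_compromised(text: str) -> set:
    """Accounts that succeeded from a source already judged to be stuffing or
    brute-forcing: the password reuse the article warns about paid off here."""
    _, successes = summarise(text)
    verdicts = classify_sources(text)
    return {
        (src, user)
        for src, users in successes.items()
        if verdicts[src] != "normal"
        for user in users
    }


if __name__ == "__main__":
    print(classify_sources(AUDIT_LINES))
    print(likely_compromised(AUDIT_LINES))
```

In the constructed data, 10.0.0.5 is a brute-force run against scott, 10.0.0.9 is a stuffing run that succeeded on erin, and 10.0.0.20 is a user who mistyped once. The per-source grouping is the point: a per-account failure counter alone never sees the stuffing run, because each account was tried only once.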

6. Classification by cause of the vulnerability

6.1 Input validation error

This kind of error comes mainly from the lack of correct and reasonable validation of input values such as strings and packets, which lets malformed input reach database system functions and can have unpredictable consequences for the database.

6.2 Boundary condition error

Because a database is large and complex software with very complicated internal function calls, the bounds placed on an incoming value sometimes differ from one place to another, which can adversely affect the database.

6.3 Buffer overflow error

Because some functions in the database lack bounds restrictions and checks on parameter values, a database vulnerability is exposed.

6.4 Access validation error

Access validation errors occur mainly in the database's network listener: hackers send fraudulent packets to trick the database into giving up important information.

6.5 Unexpected condition error

Because of the complexity of the logic inside a database, some rarely triggered logical branches are not discovered in time, owing to the software release cycle and other reasons.

6.6 Other errors

Apart from the database vulnerabilities caused by the five categories above, most other errors arise because users fail to operate and configure the database as required, or from design flaws in the database itself.

7. Classification by exploit result

Unauthorised access: access to data that should otherwise be inaccessible, including both read and write access. This is usually the attacker's core goal and can cause very serious disasters (for example, bank data becoming writable).

Privilege escalation: through abuse of authority and similar means, a low-privileged user raises its permissions step by step until it reaches DBA authority, then uses that account to steal core data from the database.

Denial of service: the attacker forces the target database to stop providing service; this is one of the most common attack methods hackers use. Flooding the database port is only a small part of denial of service: any attack that suspends the database service or freezes the host is a denial-of-service attack.

Capturing the operating system: when attacking the database over the network, the hacker uses a buffer overflow to hijack the function's return address on the stack, seizes control of the function, and jumps to shellcode the hacker has written. When the shellcode opens cmd (on Windows), the operating system can be manipulated under the database's account, and the entire operating system is captured.

Authentication bypass: a vulnerability in the authentication system is exploited to enter the system without authorisation. Generally, authentication bypass serves either privilege escalation or direct access to data services.

8. Classification by location of the vulnerability in the database

Because similar functions have different names in different databases, this article uses Oracle as the example. Vulnerability locations can be divided into: TNS (listener) vulnerabilities, Aurora GIOP Server vulnerabilities, XDB component vulnerabilities, DBMS_CDC_IMPDP vulnerabilities, LT component vulnerabilities, DBMS_CDC_SUBSCRIBE vulnerabilities, DBMS_CDC_ISUBSCRIBE vulnerabilities, MDSYS.SDO_GEOM_TRIG_INS1 vulnerabilities, SYS.CDC_DROP_CTABLE_BEFORE vulnerabilities, DBMS_SCHEDULER vulnerabilities, UTL_FILE vulnerabilities, Data Redaction vulnerabilities, audit vulnerabilities, and so on.

9. Classification by vulnerability age

Vulnerabilities discovered long ago

The database vendor has released patches or patching methods, and many people already know about the vulnerability. Most affected databases have usually been fixed, so on the whole the harm is small.

Newly discovered vulnerabilities

The database vendor has only just released patches or patching methods, and few people know about the vulnerability. Compared with the previous category it is more harmful: if a worm or a point-and-click exploit program appears, a large number of databases come under attack. This is also the kind of vulnerability hackers exploit most often.

0day vulnerabilities

Vulnerabilities that have not been made public and are traded privately. They are often the most dangerous and are typically used by organised hacker groups.

The nine angles above for classifying database vulnerabilities, combined with a brief description of the vulnerabilities CVE records for database software, give an overview; in follow-up articles An Huaqin and its database security lab will analyse each type of vulnerability in depth.


This article is from the Database Security blog; please keep this source when reposting: http://schina.blog.51cto.com/9734953/1652407
